As cyber attacks continue to increase in frequency, a company's cybersecurity action plan must be able to rein in and mitigate threats as they develop.
ISACA’s third annual cybersecurity study finds that this issue is increasingly a business priority. The challenge? Resources and available skills are not keeping pace with a threat landscape that is rapidly escalating in complexity and volume.
The ISACA survey targets managers and practitioners who have cybersecurity job responsibilities. Respondents primarily came from North America (42 percent) and Europe (31 percent), and were employed in an enterprise with at least 1,500 employees (49 percent).
Its "State of Cyber Security 2017" report compares the results of this year's survey with previous results to determine recognizable trends that impact how cybersecurity is practiced, particularly where such trends point to an overall shift in the profession.
With this in mind, here are four trends shaping cybersecurity in 2017:
As cybersecurity budgets fall short, businesses are increasingly relying on third-party vendors. (Photo: Shutterstock)
No. 4: Growing areas of concern
Organizations with a chief information security officer (CISO) in 2017 increased to 65 percent compared to 50 percent in 2016. Staffing challenges and budgetary distribution, however, reveal where organizations face exposure.
Finding qualified personnel to fill cybersecurity positions is as ongoing challenge. For example, one-third of study respondents note that their enterprises receive more than 10 applicants for an open position. More than half of those applicants, however, are unqualified. Even skilled applicants require time and training before their job performance is up to par with others who are already working on the company's cybersecurity operation.
Half of the study respondents reported security budgets will increase in 2017, which is down from 65 percent of respondents who reported an increase in 2016. This, along with staffing challenges, has many enterprises reliant on both automation and external resources to offset missing skills on the cybersecurity team.
Another challenge: Relying on third-party vendors means there must be funds available to offset any personnel shortage.
If the skills gap continues unabated and the funding for automation and external third-party support is reduced, businesses will struggle to fill their cybersecurity needs.
As cyberattacks increase in volume and sophistication, businesses are increasingly exposed, particularly as their budgets to fight such breaches are declining. (Photo: Shutterstock)
No. 3: More complicated cyber threats
Faced with declining budgets, businesses will have less funding available on a per-attack basis. Meanwhile, the number of attacks is growing, and they are becoming more sophisticated.
More than half (53 percent) of respondents noted an increase in the overall number of attacks compared previous years. Only half (roughly 50 percent) said their companies executed a cybersecurity incident response plan in 2016.
Here are some additional findings regarding the recent uptick in cyber breaches:
• 10 percent of respondents reported experiencing a hijacking of corporate assets for botnet use;• 18 percent reported experiencing an advanced persistent threat (APT) attack; and
• 14 percent reported stolen credentials.
• Last year’s results for the three types of attacks were:
• 15 percent for botnet use;
• 25 percent for APT attacks; and
•15 percent involving stolen credentials.
Phishing (40 percent), malware (37 percent) and social engineering (29 percent) continue to top the charts in terms of the specific types of attacks, although their overall frequency of occurrence decreased: Although attacks are up overall, the number of attacks in these three categories is down.
Managing the Internet of Things (IoT) has risen as an area of business concern. (Photo: Shutterstock)
No. 2: Mobile takes a backseat to IoT
Businesses are now more sophisticated in the mobile arena. The proof: Cyber breaches resulting from mobile devices are down. Only 13 percent of respondents cite lost mobile devices as an exploitation vector in 2016, compared to 34 percent in 2015. Encryption factors into the decrease; only 9 percent indicated that lost or stolen mobile devices were unencrypted.
IoT continues to rise as an area of concern. Three out of five (59 percent) of the 2016 respondents cite some level of concern relative to IoT, while an additional 30 percent are either "extremely concerned" or "very concerned" about this exposure.
IoT is an increasingly important element in governance, risk and cybersecurity activities. This is a challenging area for many, because traditional security efforts may not already cover the functions and devices feeding this digital trend.
Ransomware continues to be favorite means of attack for criminals. Respondents believe this is likely because of the possibility for financial gain. (Photo: Shutterstock)
No. 1: Ransomware is the new normal
The number of code attacks, including ransomware attacks, remains high: 62 percent of respondents reported their enterprises experienced a ransomware attack specifically.
Half of the respondents believe financial gain is the biggest motivator for criminals, followed by disruption of service (45 percent) and theft of personally identifiable information (37 percent). Despite this trend, only 53 percent of respondents' companies have a formal process in place to deal with ransomware attacks.
What does that look like?
Businesses can conduct "tabletop" exercises that stage a ransomware event or discuss in advance decisions about payment vs. non-payment. Payment may seem like the easiest solution, but law enforcement agencies warn it can have an encouraging effect on those criminals as some cases lead to repeated attacks of the same business.
Many cybersecurity specialists argue that the best way to fight a ransomware attack is to avoid one in the first place. Advance planning that might include the implementation of a governing corporate policy or other operating parameters, can help to ensure that the best cybersecurity decisions are made when the time comes to battle a breach.
Originally published on PropertyCasualty360. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.